| name | description | category |
|---|---|---|
Security & Privacy |
Security decisions for public repository exposure, gitignored files, and sensitive data handling. |
operations |
This document explains the security decisions made when this repository was made public, and why certain files are gitignored.
Last Updated: February 2026 (v2.6.0)
Before making this repository public, a comprehensive security audit was performed. This document explains what was done and why, to prevent future maintainers from accidentally reverting these protections.
| Item | Files | Reason |
|---|---|---|
.archive/ folder |
139 files | Contained personal project data, client info, emails |
settings.json (root) |
Initially removed, then restored | Toolkit config - SHOULD be tracked |
vscode/settings.json |
1 file | Contained hardcoded paths and local network IPs |
.vscode/ folder |
Entire folder | Standard VSCode workspace folder with machine-specific config |
| Git history | All traces | Used git-filter-repo to purge sensitive data from history |
| Item | Reason |
|---|---|
settings.json |
Claude Code toolkit configuration (permissions, hooks, plugins) - essential for the toolkit |
vscode/setup-vscode-settings.ps1 |
Portable setup script - doesn't contain personal data |
vscode/README.md |
Documentation - no sensitive data |
| Pattern | Why It's Ignored |
|---|---|
.archive/ |
Personal project archives, client data, emails |
.vscode/ |
VSCode workspace folder - auto-generated, machine-specific |
vscode/settings.json |
VSCode IDE settings with hardcoded paths and local IPs |
settings.local.json |
Personal override file - machine-specific |
.mcp.json |
MCP server config - platform-specific commands |
.claude.json |
MCP backup - machine-specific |
Problem: Contained 139 files including:
- Personal project CLAUDE.md files with client names
- Email addresses (e.g., client emails in project docs)
- Project-specific configurations with identifying information
Solution:
- Added to
.gitignore - Removed from Git tracking
- Rewrote Git history to purge all traces
Impact: Users who fork this repo won't inherit personal project data.
Problem: Two folders with similar names but different purposes:
.vscode/(with dot) - Standard VSCode workspace folder, auto-createdvscode/(without dot) - Our custom setup scripts folder
The .vscode/ folder contained settings.json with:
- Hardcoded user paths (
C:\Users\tjn\.claude) - Local network IPs (
192.168.1.40) - Remote SSH host configurations
Solution:
- Entire
.vscode/folder gitignored - Our
vscode/folder tracked (butsettings.jsonwithin it gitignored) - Clear documentation distinguishing the two
Impact: Machine-specific VSCode configurations don't leak to public repo.
Problem: VSCode settings file contained:
"git.scanRepositories": ["C:\\Users\\tjn\\.claude", "."],
"security.allowedUNCHosts": ["192.168.1.40"],
"remote.SSH.remotePlatform": {
"192.168.1.10": "windows",
"192.168.1.40": "linux"
}Solution:
- Gitignored the file
- Users create their own after cloning
- Setup script helps configure it
Impact: Local network topology not exposed.
Important: This file IS tracked and SHOULD remain tracked.
Why it's different: Unlike vscode/settings.json, the root settings.json contains Claude Code toolkit configuration:
- Permission allow/deny lists
- Enabled plugins
- Hook configurations
- MCP server defaults
These are not personal data - they're the toolkit's functionality configuration that users want when cloning this repo.
Used git-filter-repo to completely remove sensitive files from Git history:
# Remove .archive/ from all history
python -m git_filter_repo --invert-paths --path .archive/ --force
# Remove settings files from all history
python -m git_filter_repo --invert-paths --path settings.json --path vscode/settings.json --forceEven if files are deleted in the latest commit, they remain in Git history. Anyone can:
- Clone the repo
- Run
git log --all --oneline -- .archive/ - Checkout historical commits
- Access the "deleted" files
History rewriting ensures complete removal.
git-filter-repo removes the origin remote for safety. After running it:
git remote add origin https://github.com/travisjneuman/.claude.git
git push --force origin masterAsk yourself:
- Does this file contain hardcoded paths?
- Does this file contain IP addresses?
- Does this file contain email addresses or client names?
- Is this file auto-generated by an IDE?
- Would another user's version of this file conflict?
If ANY answer is yes, the file should probably stay gitignored.
- Review this document first
- Check the file for personal/machine-specific data
- Consider whether tracking benefits outweigh privacy risks
- Document your decision if you make changes
Watch for these patterns that indicate a file should NOT be tracked:
C:\Users\<username>\- Windows user paths/Users/<username>/- macOS user paths/home/<username>/- Linux user paths192.168.x.x- Local network IPs10.x.x.x- Private network IPs- Email addresses
- API keys or tokens
- Client/project names
# Verify specific files are ignored
git check-ignore -v .vscode/settings.json vscode/settings.json
# List all ignored files
git status --ignored# Should return empty if properly cleaned
git log --all --oneline -- .archive/
git log --all --oneline -- vscode/settings.json# Search for IP addresses
grep -r "192\.168\." --include="*.json" --include="*.md"
# Search for user paths (adjust username)
grep -r "C:\\\\Users\\\\tjn" --include="*.json" --include="*.md"| File/Folder | Status | Reason |
|---|---|---|
settings.json |
✅ Tracked | Toolkit config (permissions, hooks) |
settings.local.json |
❌ Gitignored | Personal overrides |
vscode/README.md |
✅ Tracked | Documentation |
vscode/setup-vscode-settings.ps1 |
✅ Tracked | Portable setup script |
vscode/settings.json |
❌ Gitignored | Contains local paths/IPs |
.vscode/ |
❌ Gitignored | VSCode workspace folder |
.archive/ |
❌ Gitignored | Personal project archives |
.mcp.json |
❌ Gitignored | Platform-specific MCP config |
plans/ |
❌ Gitignored | User-specific planning docs |
tasks/ |
❌ Gitignored | User-specific task files |
- FOLDER-STRUCTURE.md - Complete folder map
- CONFIGURATION.md - Settings file details
- ../vscode/README.md - VSCode setup instructions